#!/usr/sbin/nft -f

# Start from an empty ruleset so the tables below are the only ones loaded.
# This removes every existing table, including any installed by other
# tools on the host, not just the three defined in this file.
flush ruleset

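# Packet filter for a WireGuard gateway (IPv4 and IPv6 via the inet family).
# Clients arrive on wg0 and may be forwarded out through eth0 or tun0;
# everything else that would be routed through this host is dropped.
table inet filter {
        # Traffic addressed to this host. The policy is accept and the chain
        # has no rules, so nothing is filtered here.
        # NOTE(review): confirm that services listening on this host are
        # protected some other way, or restrict this chain.
        chain input {
                type filter hook input priority 0; policy accept;
        }
        # Routed traffic. Default drop: only the flows listed below pass.
        chain forward {
                type filter hook forward priority 0; policy drop;
                # wg0 and tun0 are matched by name (iifname/oifname), not by
                # index (iif/oif). An index match is resolved when the file is
                # loaded: if the interface does not exist yet the whole file is
                # rejected, and if the interface is later recreated under a new
                # index the rule silently stops matching.
                # eth0 stays an index match; assumes it exists before this
                # file is loaded - TODO confirm.

                # WireGuard clients may open connections towards eth0;
                # only reply traffic is allowed back.
                iifname "wg0" oif "eth0" accept;
                iif "eth0" oifname "wg0" ct state related,established accept;

                # Same policy for the tun0 uplink.
                iifname "wg0" oifname "tun0" accept;
                iifname "tun0" oifname "wg0" ct state related,established accept;
        }
        # Traffic originated by this host is not restricted.
        chain output {
                type filter hook output priority 0; policy accept;
        }
}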

# IPv4 source NAT: packets leaving through eth0 take eth0's address.
# NOTE(review): the ip6 nat table also masquerades on tun0, and the forward
# chain allows wg0 -> tun0 for both families, but there is no IPv4 rule for
# tun0 here - confirm whether that is intended.
table ip nat {
        chain postrouting {
                # priority 100 is the conventional source-NAT priority.
                type nat hook postrouting priority 100; policy accept;
                oif "eth0" masquerade;
        }
}

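# IPv6 source NAT: packets leaving through eth0 or tun0 take the address of
# the outgoing interface.
table ip6 nat {
        chain postrouting {
                # priority 100 is the conventional source-NAT priority.
                type nat hook postrouting priority 100; policy accept;
                oif "eth0" masquerade;
                # tun0 is matched by name: an index match (oif) is resolved at
                # load time, so it makes the file fail to load while tun0 is
                # absent and stops matching once tun0 is recreated.
                oifname "tun0" masquerade;
        }
}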
